Systems and methods for probabilistic data classification

ABSTRACT

A system for performing data classification operations. In one embodiment, the system comprises a file system configured to store a plurality of computer files and a scanning agent configured to traverse the file system and compile data regarding the attributes and content of the plurality of computer files. The system also comprises an index configured to store the data regarding attributes and content of the plurality of computer files and a file classifier configured to analyze the data regarding the attributes and content of the plurality of computer files and to classify the plurality of computer files into one or more categories based on the data regarding the attributes and content of the plurality of computer files.

RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No. 12/022,676, filed Jan. 30, 2008, titled SYSTEMS AND METHODS FOR PROBALISTIC DATA CLASSIFICATION, which is hereby incorporated herein by reference in its entirety.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The field of the invention relates to systems and methods for performing data classification operations.

2. Description of the Related Art

As modern enterprise environments trend towards a paperless workplace, electronic data is often created at a high rate. This electronic data takes a variety of forms which may include emails, documents, spreadsheets, images, databases, etc. Businesses have a need to effectively classify and organize all of this electronic data.

However, it can be extremely difficult to accurately classify large amounts of data in ways which are time and cost effective. Existing solutions have typically allowed a user to classify files in at least one of two ways. The user can manually view each file and determine the appropriate classification. While this can be a relatively accurate method of categorizing data, it quickly becomes expensive and impractical as the volume of data-to-be-classified increases.

Alternatively, files can be classified using an explicit set of rules defined by the user. For example, a data classification rule may be based on inclusion of a keyword or a small set of keywords. With this approach, the classification of files can be done by machine, but the use of explicit rules tends to be a relatively inaccurate method of classifying non-homogeneous files and can result in many false classifications.

SUMMARY OF THE INVENTION

Therefore, there is a need for more accurate automated systems for classifying and organizing the large amounts of computer data which exist in modern enterprise environments.

One embodiment of the invention comprises a file system configured to store a plurality of computer files; a scanning agent configured to traverse the file system and compile data regarding the attributes and content of the plurality of computer files; an index configured to store the data regarding attributes and content of the plurality of computer files; and a file classifier configured to analyze the data regarding the attributes and content of the plurality of computer files and to classify the plurality of computer files into one or more categories based on the data regarding the attributes and content of the plurality of computer files.

Another embodiment of the invention comprises a method of traversing a file system and compiling data regarding attributes and content of a plurality of computer files stored in the file system; storing the data regarding attributes and content of the plurality of computer files in an index; analyzing the data regarding the attributes and content of the plurality of computer files; and classifying the plurality of computer files into one or more categories based on the data regarding the attributes and content of the plurality of computer files.

Another embodiment of the invention comprises means for traversing a file system and compiling data regarding attributes and content of a plurality of computer files stored in the file system; means for storing the data regarding attributes and content of the plurality of computer files in an index; means for analyzing the data regarding the attributes and content of the plurality of computer files; and means for classifying the plurality of computer files into one or more categories based on the data regarding the attributes and content of the plurality of computer files.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic representation of a data classification system.

FIG. 2 is a flowchart for performing classification operations on data files.

FIG. 3 is a schematic illustration of an embodiment of a data storage system for performing data storage operations for one or more client computers into which may be integrated a data classification system.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

As discussed previously, there can be tradeoffs involved in performing electronic data classification. Electronic data classification can be performed manually with relatively good accuracy, but the process is slow and expensive. This type of process can be referred to as supervised classification. In other cases, data classification can be performed in an automated manner, but if done using explicit rules only, automated classification can result in relatively poor accuracy. This can be referred to as unsupervised classification. In still other cases, techniques can be used which result in semi-supervised classification.

Semi-supervised classification techniques may rely on some degree of human input to train a machine to recognize various categories of data. Once the machine has been trained, it can perform data classification operations independent of further human intervention. Semi-automated techniques of this sort can result in greater accuracy than more simplistic automated methods which rely solely on explicit rules. One example of a semi-supervised data classification technique of this sort is a Naïve Bayes classifier. Naïve Bayes classifiers have found use in certain email systems to help in rejecting unwanted, or “spam,” messages as they arrive over a network at an email server, for example, but not to existing files stored in a computer system.

Apart from the filtering of incoming email messages, significant benefits can be had from applying the Naïve Bayes method, as well as other classification methods, to data that is already stored in a computer system. In particular, there are tremendous advantages to be had from applying data classification methods to large-scale computing systems with tremendous amounts of stored data. These advantages include, among others, using automated data classification methods classification to place proper security restrictions on access to certain files (this may be required by law in certain instances, such as in the case of medical records or private personnel information) or to control the location where a file is stored or backed up so that it can be located at a later date. Classification of data can also be useful in determining whether certain files should be deleted entirely, backed up in relatively fast access storage media, or permanently archived in slower access media.

Therefore, it would be advantageous to have an automated system, with improved accuracy, for carrying out file classification operations on the data stored in a business' computing system. In certain preferred embodiments of the invention, such an automated system would perform data classification on a substantial portion of a business' stored files on an enterprise-wide, cross-platform scope.

Just as there are many reasons to classify files, there are also many schemes of doing so. Generally speaking, the task of data classification is to assign electronic data to one or more categories based on content or characteristics of the data. In some cases, files may be grouped according to common characteristics such as file size or file extension. In other cases, files could be grouped with more sophisticated techniques according to subject matter. Many other classification schemes also exist and it should be understood that embodiments of the invention can be adapted to use a wide variety of classification schemes.

FIG. 1 is a schematic representation of an automated system for performing data classification on electronic files according to one embodiment of the invention. The file servers 120, which can include or be coupled to electronic data storage devices, handle I/O requests to a file system shared by a plurality of client computers (not shown) in a business' computing system. The client computers can be coupled to the file servers 120 via the Local Area Network (LAN) 190, or in any other way known in the art. In this way, the file servers 120 house a substantial portion of a business' electronic data, which is accessible to a plurality of client computers via the network 190.

In other embodiments, the shared data storage capacity could take a form other than shared file servers. For example, shared storage devices could be coupled to a plurality of client computers via a Storage Area Network (SAN) or a Network Attached Storage (NAS) unit. Other shared electronic data storage configurations are also possible.

In one embodiment, each file server 120 may include a file system scanning agent 110. The file system scanning agents 110 can systematically traverse data housed by a corresponding file server 120. The file system scanning agents 110 can access electronic files and compile information about the characteristics of the files, the content of the files, or any other attribute of interest that could serve as the basis for categorizing the electronic files. Filesystem classification agents 110 can be configured to operate with any type of filesystem.

Furthermore, while the file system scanning agents 110 are illustrated as modules operating within the file servers 120, in other embodiments the file system scanning agents 110 can be separate devices coupled to file servers 120 via a network 190. In still other embodiments, file system scanning agents 110 can be made capable of directly accessing data storage devices shared by a plurality of client computers over the network 190, such as via SAN networks or NAS units. The file system scanning agents can be implemented in any combination of hardware and software.

As file system scanning agents 110 compile information about file characteristics, content, etc., the information can be shared with a file indexing service 150 which can maintain databases, such as a file attribute index 170 and a file content index 180, to store the information. In some embodiments, the file attribute index 170 can be combined with the file content index 180, or the two indexes can be implemented as a number of sub-indexes. In one embodiment, the file indexing service 150 may be a module operating on an Intelligent File Classifier (IFC) server 130 and information can be exchanged between the file system scanning agents 110 and the file indexing service 150 via the network 190.

The IFC server 130 can include a data processor and electronic memory modules. The IFC server may also include a file classifier program 140 module which can access the file attribute 170 and the file content 180 indexes and classify electronic data files as members of various categories, according to the methods described below. The IFC server 130 may also include a user interface 160 to allow a user to input the characteristics or content of a category of interest and to view a listing of the designated member files of a data classification operation performed by the file classifier program 140. The user interface 160 may comprise any type of user interface known in the art, such as an I/O terminal coupled to the IFC server 130 or a web server to allow a user to remotely access the IFC server 130.

FIG. 2 is a flowchart which represents an exemplary method of performing data classification operations using the system illustrated in FIG. 1. At block 210 a file system scanning agent 110 traverses a file system and compiles information regarding the attributes and content of electronic files stored in the filesystem. In some embodiments, the file system scanning agents 110 may have access to a database which indicates the date that a particular file's attributes and content were last gathered. In these embodiments, the file system scanning agents 110 may determine whether this date came after the last known modification to the file, in which case the file system scanning agent 110 may be configured to skip the current file and move on to the next available file.

In other embodiments, the file system scanning agents 110 may be notified any time a file is created or modified so that the new or modified file's attributes and contents can be compiled or updated. The file system scanning agents 110 may be notified of these events by file system drivers whenever a file system I/O request is made, by a packet sniffer coupled to a network which scans the contents of data packets transmitted over the network to determine when a file is created or modified, or using any other technique known in the art.

File attributes compiled by the file system scanning agents 110 may include, but are not limited to, the file name, its full directory path, size, type, dates of last modification and access, or other types of metadata. The file attribute information may be transmitted to a file indexing service 150 to be stored in a file attribute index 170. This index may take the form of a relational database which can be searched by any attribute entry or combination of attributes. In certain embodiments, the file attribute index 170 can be a centralized database managed by a file indexing service 150 which receives file attribute and content information from a plurality sources. The file attribute index 170 may also include information regarding the categories to which a particular file is presently marked as belonging to, or has been marked as having belonged to in the past.

The file system scanning agents 110 can also analyze data files to catalog their content. For example, if the file includes text, the file system scanning agents 110 may create a list of keywords found within the file as well as frequency counts for each of the keywords. If the file is not a text file but rather an image of a document, the classification element 312 may first perform an optical character recognition (OCR) operation before creating keyword lists and frequency counts. The file content information may be transmitted to a file indexing service 150 to be stored in a file content index 180. The file content index 180 may take the form of a searchable database which contains the keyword lists and frequency counts gathered by the file system scanning agents 110 as well as logical mappings of keywords to the files in which they are found. Much like the file attribute index 170, it may be advantageous for the file content index to be managed by a file indexing service 150 which receives file attribute and content information from a plurality of sources.

The file content index 180 may be searched by file, producing a list of keywords for the file. The file content index 180 may also be searched by keyword, producing a list of files which contain that word. This type of search result can include a relevance ranking which orders the list of files which contain the search term by the frequency with which they appear in the file. Other methods of cataloguing and searching the file content index 180 can also be used.

Other types of files besides text-containing documents can be analyzed for content as well. For example, digital image processing techniques can be used to scan image files for certain image features using object recognition algorithms to create a catalogue of features that are identified. Similarly, audio files could be scanned to catalogue recognizable features. In fact, the file system scanning agents 110 can be used to analyze any file type for any type of content to the extent that there exists a method for performing such analysis. In any case, a catalogue of the identified file content can be kept in the file content index 180.

At block 220, a file system scanning agent 110 transmits file attribute and content information to the file indexing service 150. At block 230, the file indexing service 150 stores that information in the appropriate index. Files stored by the file servers 120 can classified, or designated as members of a defined category, based on the information in these indexes. The classification of a file can be based on information from the file attribute index 170, the file content index 180, or some combination of both.

As described above, some classification techniques are semi-supervised in that they rely on some degree of human input to train a machine to recognize various categories of data before. Once the machine has been trained, it can perform data classification operations substantially independent of further human intervention. Blocks 240, 250, and 260 represent an embodiment of a method for training an automated data classification system which employs semi-supervised classification techniques. Embodiments of the invention will be described below primarily in terms of a Naïve Bayes classification algorithm, however neural networks or strict Bayesian networks are also suitable candidates. Other types of classifiers or algorithms can also be used.

For example, it should be understood that fully supervised and fully unsupervised classification techniques can be advantageously used in certain embodiments of the invention. One embodiment of the invention may use a set of explicit user-defined rules to decrease the number of files to which a more computationally expensive classification method is then applied. For example, a user may wish to identify only recent files belonging to a particular category. In such a case, an explicit rule requiring a file to have been modified no longer than thirty days previously could be used to decrease the number of candidate files to be analyzed using a Naïve Bayes algorithm, which uses a more computationally complex calculation to determine a probability that a particular file belongs to the desired category.

At block 240, a user creates a name for a particular category of data, members of which he or she would like to locate amongst the mass of data stored in file servers 120 or some other type of shared storage device accessible to a plurality of client computers. This can be done with the user interface 160 of the IFC server. At block 250, the user can select sample files from the file attribute 170 and file content 180 indexes which are properly designated as members of the category of data which the user wishes to identify. These sample files can constitute a training set of data which allows the file classifier program 140 to “learn” how to identify files stored by the file servers 120 which are members of the desired category. Using this training set of data, the file classifier program 140 computes, at block 260, a set of classification rules that can be applied to the files from the file attribute 170 and file content 180 indexes which were not included in the training set.

At block 270, the set of test data is used to calculate a probability that a file belongs to the desired category. This can be done for each file indexed by the indexing service 150 that lies outside the training set selected by the user. Finally, at block 280, the user interface 160 can format the results of the classification operation and present the results to the user. For example, the user interface 160 can present a list of each file which was determined by the file classifier program 140 to belong to a desired category.

Some classification techniques, such as a Naïve Bayes algorithm, may output a probability that a given unclassified file should be marked as belonging to a certain category. In these embodiments, the determination that a file belongs to a particular category may be based on the calculated probability of the file belonging to the category exceeding a threshold. A determination can be made whether the probability is high enough to risk a mistaken classification and justify classifying the file as a member of the category in question. In such cases, the file classifier program 140 may be configured to mark the file as a member of the category if the probability exceeds a user-defined threshold.

For example, a user might configure the classification element to mark a file as a member of a category only if the calculated probability is greater than 85%. In cases where the accuracy of the classification operation IS critical and where the calculated probability falls short of the threshold by a relatively small margin, the file classifier program may be configured to mark the file as being a questionable member of the category and allow a user to view the file to determine whether it should or should not be designated as a member of the category in question.

Once the file has been classified, it may be labeled as a member of the designated category in the file attribute index. A file may be classified as a member of more than one category. In some embodiments, a category of files may be defined temporarily by a user query. In other embodiments, a category of files can be defined on a relatively permanent basis and new files which meet the criteria of the category previously calculated by the file classifier program 140 on the basis of a training set of data can be automatically added to the category as they are created or modified.

A specific example of a Naïve Bayes classifier, according to one embodiment of the invention, will now be given based on the training data in the following chart.

Contains Belongs to “Personnel File Name File Size <1 KB? Keyword “SSN”? Records” Category? Foo.doc Yes Yes Yes Bar.doc No Yes Yes Bas.doc Yes No No Qux.doc Yes No No Quux.doc No Yes Yes

In the above training set of data, five files have been marked by a user as belonging, or not belonging, to a category called “Personnel Records.” The training data includes both members (Foo.doc, Bar.doc, and Quux.doc) of the desired category, as well as non-members (Bas.doc and Qux.doc). In this example, the data on whether each of the files in the training set is smaller than 1 KB can be obtained from the file attribute index 170. The data on whether each file contains the keyword “SSN” can be obtained from the file content index 180.

Based on this information, the file classifier program 140 can calculate a probability that files smaller than 1 KB are members of the “Personnel Records” category. Based on the above training data, one out of three files which are smaller than 1 KB are also members of the “Personnel Records” category, for a probability of 33%. The file classifier program 140 can also calculate a probability that files which contain the keyword “SSN” are members of the “Personnel Records” category. Three out of three files which contain the keyword “SSN” are also members of the “Personnel Records” category. This leads to a calculated probability of 100% that a file belongs to the “Personnel Records” category if it contains the keyword “SSN.”

An overall probability that a file belongs to the desired category can also be calculated from the training set of data. In this case, three out of the five files in the training set are members of the “Personnel Records” category for an overall probability of membership of 60%. Using these probabilities, the file classifier program can analyze whether files outside the training set are smaller than 1 KB or contain the keyword “SSN,” and then determine the probability that the file belongs to the “Personnel Records” category using Bayes Theorem, or similar method.

In general, the larger the training set of data and the more representative it is of a cross-section of files in the file system in terms of attributes, content, and membership in the desired category, the more accurate will be the results obtained from the classification operation performed by the file classifier program 140 when using a Naïve Bayes algorithm. However, other characteristics of a training set of data can be emphasized in embodiments of the invention which use other classification algorithms.

Once the file classifier program 140 has finished classifying a file, some course of action may be taken by the IFC server 130 based on the outcome of the file classification operation. In some cases the course of action may be pre-determined and user-defined. In this type of embodiment, IFC server 130 may include a database that contains a list of classification outcomes, such as “File Classified as Personnel Information,” as well as a corresponding action to be performed when the associated classification outcome occurs. In other embodiments, the IFC server 130 may include learning algorithms to independently determine what course of action to take after a classification operation is completed based on its past experience or based on a set of training data that has been provided to guide its actions.

One action that could be taken by the IFC server 130 based on a file classification outcome is changing access permissions on a file based on the sensitivity of the category to which it belongs. It may be desirable to limit access of the file to certain users of the host computing system for any number of reasons: the file may contain sensitive personal employee information, trade secrets, confidential financial information, etc.

Another action that could be taken by the IFC server 130 based on a file classification outcome is to change the backup or archive schedule for the file. Certain categories of files may be classified as non-critical. It may be preferable to backup these types of files less regularly in order to conserve system resources. In addition, these files may be migrated to slower access storage sooner than would be the case for more important files, or possibly never. Other categories of files may be classified as critical data. As such, it will likely be desirable to regularly backup these files and possibly maintain them in fast access memory for an extended period of time.

In addition, it would be possible to carefully create and manage a schedule for permanently archiving these files due to the critical information they contain. In embodiments of the invention where the results of a data classification operation are used to influence how certain categories of information are backed up or archived, it may be beneficial to integrate a data classification system, such as the one illustrated in FIG. 1, with a data storage and backup system. Many different types of data storage and backup systems can be used for this purpose. However, an exemplary data storage and backup system which can be modified to include a data classification system is illustrated in FIG. 3.

FIG. 3 illustrates a storage cell building block of a modular data storage and backup system. A storage cell 350 of a data storage system performs storage operations on electronic data for one or more client computers in a networked computing environment. The storage system may comprise a Storage Area Network (SAN), a Network Attached Storage (NAS) system, a combination of the two, or any other storage system at least partially attached to a host computing system and/or storage device by a network. Besides operations that are directly related to storing electronic data, the phrase “storage operation” is intended to also convey any other ancillary operation which may be advantageously performed on data that is stored for later access.

Storage cells of this type can be combined and programmed to function together in many different configurations to suit the particular data storage needs of a given set of users. Each storage cell 350 may participate in various storage-related functions, such as backup, data migration, quick data recovery, etc. In this way storage cells can be used as modular building blocks to create scalable data storage and backup systems which can grow or shrink in storage-related functionality and capacity as a business' needs dictate. This type of system is exemplary of the CommVault QiNetix system, and also the CommVault GALAXY backup system, available from CommVault Systems, Inc. of Oceanport, N.J. Similar systems are further described in U.S. patent applications Ser. Nos. 09/610,738 AND 111120,619, which are hereby incorporated by reference in their entirety.

As shown, the storage cell 350 may generally comprise a storage manager 300 to direct various aspects of data storage operations and to coordinate such operations with other storage cells. The storage cell 350 may also comprise a data agent 395 to control storage and backup operations for a client computer 385 and a media agent 305 to interface with a physical storage device 315. Each of these components may be implemented solely as computer hardware or as software operating on computer hardware.

Generally speaking, the storage manager 300 may be a software module or other application that coordinates and controls storage operations performed by the storage operation cell 350. The storage manager 300 may communicate with some or all elements of the storage operation cell 350 including client computers 385, data agents 395, media agents 305, and storage devices 315, to initiate and manage system backups, migrations, and data recovery. If the storage cell 350 is simply one cell out of a number of storage cells which have been combined to create a larger data storage and backup system, then the storage manager 300 may also communicate with other storage cells to coordinate data storage and backup operations in the system as a whole.

In one embodiment, the data agent 395 is a software module or part of a software module that is generally responsible for archiving, migrating, and recovering data from a client computer 385 stored in an information store 390 or other memory location. Each client computer 385 may have at least one data agent 395 and the system can support multiple client computers 385. In some embodiments, data agents 395 may be distributed between a client 385 and the storage manager 300 (and any other intermediate components (not shown)) or may be deployed from a remote location or its functions approximated by a remote process that performs some or all of the functions of data agent 395.

Embodiments of the storage cell 350 may employ multiple data agents 395 each of which may backup, migrate, and recover data associated with a different application. For example, different individual data agents 395 may be designed to handle Microsoft Exchange data, Lotus Notes data, Microsoft Windows file system data, Microsoft Active Directory Objects data, and other types of data known in the art. Other embodiments may employ one or more generic data agents 395 that can handle and process multiple data types rather than using the specialized data agents described above.

Generally speaking, a media agent 305 may be implemented as software module that conveys data, as directed by a storage manager 300, between a client computer 385 and one or more storage devices 315 such as a tape library, a magnetic media storage device, an optical media storage device, or any other suitable storage device. The media agent 305 controls the actual physical level data storage or retrieval to and from a storage device 315. Media agents 305 may communicate with a storage device 315 via a suitable communications path such as a SCSI or fiber channel communications link. In some embodiments, the storage device 315 may be communicatively coupled to a data agent 305 via a SAN or NAS system, or a combination of the two.

It should be appreciated that any given storage cell in a modular data storage and backup system, such as the one described, may comprise different combinations of hardware and software components besides the particular configuration illustrated in FIG. 3. Furthermore, in some embodiments, certain components may reside and execute on the same computer. A storage cell may also be adapted to include extra hardware and software for performing additional tasks in the context of a data storage and backup system. In particular, storage operation cells may include hardware and software for performing file classification operations. In particular, the storage cell 350 may be modified to include a file system scanning agent 110 and an IFC server 130.

The IFC server 130 may comprise a file classifier program 140, a file indexing service 150, and a user interface 160. Each of these components may function substantially in accordance with the description of these components set forth above with reference to FIGS. 1 and 2. However, certain modification to these components may be dictated by the configuration of the computing system into which they are being incorporated. In these instances it is within the ability of one of ordinary skill in the art to make these adaptations.

Preferred embodiments of the claimed inventions have been described in connection with the accompanying drawings. While only a few preferred embodiments have been explicitly described, other embodiments will become apparent to those of ordinary skill in the art of the claimed inventions based on this disclosure. Therefore, the scope of the disclosed inventions is intended to be defined by reference to the appended claims and not simply with regard to the explicitly described embodiments of the inventions. 

1. A computer system comprising: a file system configured to store a plurality of computer files; a plurality of scanning agents configured to traverse the file system and compile data regarding the attributes and content of the plurality of computer files; and a file classifier configured to analyze the data regarding the attributes and content of the plurality of computer files and to classify the plurality of computer files based on a calculated probability that a file should be classified as a member of a category, wherein the calculated probability is based at least in part on the data regarding the attributes or content of the plurality of computer files. 